Forwarded port not working under Wireguard Server

Some quick basic information
Router: Flint 2
Firmware: 4.6.4
I'm using DHCP (with a reservation for the server in question)
The router is the main router and is directly connected to the modem from Comcast

This is a fairly niche issue, but basically I have a server on my network that I want to be reachable through the WireGuard server; I was able to set that up fairly easily. I recently set up HTTPS for some services that I want available outside my network, and local HTTPS for some other services as well.

My network is accessible through the domain I use, since I set it up to use DDNS (through Cloudflare scripts), and the router port forwards correctly to the server on the network. But under the WireGuard tunnel it seems not to port forward correctly, since the URLs that previously went correctly to the server all go to the router instead.

I did some further testing and found that I can actually get this to work by port forwarding port 443 from the WireGuard zone (although this also forwards every request to the server, so all URLs will result in incorrect certs, since it is attempting to get them from the server in my network).

Is there a way to get the router's port forwards working under the WireGuard tunnel? I am able to connect to the server with no problem through IP and the allow local access from the tunnel. Just trying to access it through the domain causes the port forward to fail for some reason.

Any help would be greatly appreciated.

Seems similar to this issue of the router dnsmasq; please refer to this thread:

SSH to router, and execute the commands.

Sorry for the late reply, and thank you for the response. I ran the commands in the thread and it seems to still route requests to the router instead of the port forwarded server. Are there some additional rules that need to be set up for the WireGuard server, or is there a way to route the domain to the local IP address through route rules to get this working? Thanks again for your help.

May I know what domain name you visit in the WireGuard VPN tunnel?
Local custom domain name or public domain name?

Public domain, sorry, I should have made that clear. When I say I'm using local HTTPS, I'm really just using regular HTTPS with a public domain and with access restricted to my local network on certain subdomains (this restricted access isn't the problem yet, since the request never reaches the server in the first place). I'm using a reverse proxy (specifically SWAG) to facilitate this.

Doing some more research, it seems to be the base WireGuard configuration setup. I found some issues (mostly from pfSense and OPNsense) that touch upon some possible ways to fix it; however, I haven't found a clear solution that can be applied to the router. Here is what I found so far:

Could be related, but seems to be about something else:

I'm going to try a couple of basic changes to see if I can get it to work, and I'll update if I find anything else or fix the issue.

Finally got it working; turns out I'm somewhat dumb. I ended up using a port forward, but just had to limit the external port to the eth interface.

To be exact, I just set up the port forward as usual:

With the internal IP address being the machine you are forwarding to (like a regular port forward).

Then in the advanced settings you set the "external IP address" to the interface that has your public IP (99.99% of the time it's probably an eth interface, I believe):

This seems to work as I expect, but I suspect that it will block access to the router if you forward the same port that the web UI is using for HTTP(S) access. For my setup this seems to work perfectly, and as such I'll mark it as solved; if someone finds a better solution, feel free to chime in.

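As an added illustration (not from this thread or from GL.iNet), here is the fix above expressed as an OpenWrt-style `/etc/config/firewall` redirect, which is the layer the Flint 2's OpenWrt-based firmware writes its GUI port forwards into: the external port is pinned to the WAN address with `src_dip`, the match is limited to TCP 443 rather than every port, and NAT reflection is listed for the tunnel zone so WireGuard clients that resolve the public domain reach the reverse proxy instead of the router. The zone names `wan`, `lan` and `wgserver`, the WAN address 203.0.113.10 (documentation range) and the LAN host 192.168.8.50 are placeholders, and the `reflection_zone` entry for the tunnel zone is my assumption of how to cover it; the GUI may express the same thing differently.

```uci
# Added example, not the router's generated config. PLACEHOLDER values
# (addresses, zone names) must be replaced with your own.
config redirect
	option name 'https-to-reverse-proxy'
	option target 'DNAT'
	# match only traffic arriving on the WAN zone ...
	option src 'wan'
	# ... addressed to the WAN IP the public domain resolves to (PLACEHOLDER)
	option src_dip '203.0.113.10'
	# only HTTPS, so other ports on the public IP stay where they were
	option src_dport '443'
	option proto 'tcp'
	# the SWAG reverse-proxy host on the LAN (PLACEHOLDER)
	option dest 'lan'
	option dest_ip '192.168.8.50'
	option dest_port '443'
	# hairpin (reflected) NAT for internal zones that use the public name
	option reflection '1'
	list reflection_zone 'lan'
	# ASSUMPTION: name of the WireGuard-server zone on this firmware
	list reflection_zone 'wgserver'
```

Apply it with `/etc/init.d/firewall restart` and confirm with `fw4 print` (firewall4) that a DNAT rule for the tunnel zone appears. As the author notes, this still captures port 443 on the public address, so keep the router's web UI on a different port than the one you forward.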